Encryption: Why we’re in choppy water for the future of digital security

The Australian Parliament just approved the hotly contested Telecommunications and Other Legislation (Assistance and Access) Bill.

One of the new powers with the passage is the ability to issue technical capability notices to companies that provide encrypted products and services, requiring them to ensure their systems would allow “exceptional access” (i.e. access for law enforcement and/or intelligence agencies).

This follows the UK Investigatory Powers Act 2016, which contains a similar power; the statement from the Five Country Ministerial in August, says “should governments continue to encounter impediments to lawful access to information … we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” There have also been recent court cases in the United States to enable the government to access Apple and Facebook communications.

Just last week at the Georgetown University Cybercrime 2020 Conference, U.S. Deputy Attorney-General Rosenstein renewed his call for “technology companies to develop ‘responsible encryption’ — effective, secure encryption that resists criminal intrusion but allows lawful access with judicial authorization.”

But, the reality is that with encryption, there is no such thing as “exceptional” access.

Adding points of entry around encryption creates new vulnerabilities that could be exploited by attackers, not just by law enforcement and intelligence agencies. While circumventing encryption might seem like an answer, measures to “bypass” encryption simply undermine it and the trust users have in the security of their messages and data.

It does not matter if only limited agencies for very restricted purposes are able to ask for a technical capability notice. The risks remain.

In any case, if exceptional access were built into the products and services used by law-abiding citizens, criminals and terrorists would simply seek out “underground” encryption services or make their own, effectively side-stepping the outcome the Australian government is hoping to achieve.

Also, companies that are asked to provide exceptional access might turn off end-to-end encryption, deactivate “encryption on by default,” disable smartphone “kill switches” or take away users’ sole ability to decrypt their smartphones. These are the very features that have vastly improved the security and privacy of Internet users’ communications.

Even if encryption remains untouched, if law causes companies to provide exceptional access by modifying other systems or by failing to choose stronger security mechanisms, the security and confidentiality of users’ encrypted content is still at risk.

The security of our communications depends not only on the strength of encryption, but also the security of other systems used to provide those encrypted services.

By weakening the security of everyone’s encrypted services in this way, Australia could change the course of digital security, putting the strength of its digital economy in jeopardy and exposing the country and all its users to greater risk from security threats.

Stronger, Not Weaker Encryption is the Answer

Making good decisions in a period of rapid global transition is never easy, especially when the trajectory is unclear and our concerns about the ability for terrorists to communicate secretly have the strong pull of immediacy. It is understandable that, as governments become more aware of threats posed in the digital world, their first instinct would be to clamp down on those threats. But, we must be wary of breaking security for everyone, to pursue a few.

In a world where theft of digital information is an ever-present and increasing threat, governments need to be a strong proponent of encryption (especially end-to-end encryption for communications) and other digital security technologies that help secure data.

We should be talking about ways to make digital security stronger and universal, not how to weaken it for any purpose, even law enforcement.

To fully protect users, with security, privacy and trust at the core of our decisions, we should be discussing how to increase the use of encryption, make it easier to use, and harder to thwart.

When we fail to protect data, we fail to protect people.

Australia has the potential to enjoy the benefits the Internet has to offer. But we cannot and should not allow concerns about access to undermine the value that encryption provides in securing data and protecting our communications. Undermining encryption will only leave us less secure, not more.

Christine Runnegar is the senior director of Internet trust at the Internet Society, a non-profit organization founded in 1992 to provide leadership in Internet-related standards, education, access, and policy. She leads the non-profit’s trust agenda which advocates for policies that support an open, globally-connected and secure Internet.